This is definitely a bug. However, the fix is not so simple, because we are using 'startswith' to check the referer, and with the proposed change, https://example.com could be matched by https://example.com.evil.com . That is almost certainly why I added that slash.
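An added illustration, not code from the thread or the project: the three referer checks under discussion in Python, run over constructed sample Referer values (the allowed origin `https://example.com` is taken from the comment; the function names and the parsed-origin variant are my own).

```python
from urllib.parse import urlsplit

# Allowed origin under discussion in the thread (no trailing slash).
ALLOWED_ORIGIN = "https://example.com"

DEFAULT_PORTS = {"https": 443, "http": 80}


def referer_ok_startswith(referer: str, allowed: str = ALLOWED_ORIGIN) -> bool:
    """The proposed change: bare prefix check. Accepts https://example.com.evil.com"""
    return referer.startswith(allowed)


def referer_ok_startswith_slash(referer: str, allowed: str = ALLOWED_ORIGIN) -> bool:
    """The existing check: prefix plus '/' blocks the lookalike host but rejects a
    bare origin Referer such as 'https://example.com' (the reported bug)."""
    return referer.startswith(allowed + "/")


def _origin(url: str):
    """Return (scheme, host, effective port) or None if the URL does not parse."""
    try:
        u = urlsplit(url)
    except ValueError:
        return None
    if not u.scheme or not u.hostname:
        return None
    try:
        port = u.port or DEFAULT_PORTS.get(u.scheme)
    except ValueError:  # non-numeric port
        return None
    return (u.scheme.lower(), u.hostname.lower(), port)


def referer_ok_parsed(referer: str, allowed: str = ALLOWED_ORIGIN) -> bool:
    """Origin comparison after parsing: no prefix matching at all, so neither the
    lookalike host nor the missing trailing slash is a problem."""
    got, want = _origin(referer), _origin(allowed)
    return got is not None and got == want


if __name__ == "__main__":
    # Constructed sample Referer values.
    for ref in ("https://example.com/page", "https://example.com",
                "https://example.com.evil.com/", "https://example.com@evil.com/"):
        print(ref, referer_ok_startswith(ref),
              referer_ok_startswith_slash(ref), referer_ok_parsed(ref))
```

Only the parsed comparison accepts the bare origin and rejects both the lookalike host and the userinfo trick.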